Intel publishes PCIe Device Security Enhancements spec

March 17, 2018 ~ hucktech ~ 1 Comment

Intel just published a draft of their proposed PCIe firmware measurement and device authentication spec. This is one of the things @syncsrc and I were talking about at @shmoocon.https://t.co/Y4X8eErZQC
These enhancements allow hardware-backed firmware measurements.

— Paul McMillan (@PaulM) March 16, 2018

PCIe Device Security Enhancements Specification

PCI Express (PCIe) Devices may be composed of hardware (immutable) and firmware (immutable and mutable) components. Presently, Vendor ID/Device ID/Revision ID registers convey the hardware identify of a PCIe* Device and there is no defined mechanism to convey the firmware identity of a PCIe Device. In addition to the Device identity, PCIe specification defines various types of capability structures to convey PCIe Device features capabilities. Both the Device Identity and capability can be spoofed and used maliciously by an advanced adversary. This specification introduces the notion of PCIe* Device Firmware Measurement, a method of exposing the identity of Device firmware. The Device Firmware Measurement mechanism used in isolation, however, is subject to supply chain attacks such as counterfeiting and can also be spoofed by an advanced adversary. Additionally this specification introduces the notion of PCIe Device Authentication, which uses public key cryptography to defend against such attacks and to provide higher assurance about the hardware and firmware identities and capabilities. PCIe Device Authentication adapts the USB Authentication mechanism to PCIe—the new elements are the specific PCIe register interface and the associated mechanisms, plus some details that are necessarily specific to PCIe. PCIe Device Authentication result can be used in various scenarios such as: 1) a data center administrator can ensure all PCIe Devices are running appropriate firmware versions 2) system software can ensure a trusted Device is plugged in before enabling the PCIe Address Translation Services (ATS) for the Device. PCIe Device Authentication provides platforms with a way to make trust decisions about specific Devices. This in turn provides value to Device vendors because the Authentication feature is itself a valuable Device feature, and supports the detection of counterfeit and potentially malicious Devices. This specification details the requirements, interface and protocol for PCIe Device Firmware Measurement and PCIe Device Authentication. It also provides general guidelines for implementing these technologies in practice.

https://www.intel.com/content/www/us/en/io/pci-express/pcie-device-security-enhancements-spec.html

Linux ACPI Time and Alarm Device (TAD) driver

March 16, 2018 ~ hucktech ~ Leave a comment

Rafael J. Wysocki of Intel submitted a patch to Linux ACPI for a ACPI Time and Alarm Device (TAD) driver:

Introduce a driver for the ACPI Time and Alarm Device (TAD) based on Section 9.18 of ACPI 6.2. This driver only supports the system wakeup capabilities of the TAD which are mandatory. Support for the RTC capabilities of the TAD will be added to it in the future. This driver is entirely sysfs-based. It provides attributes (under the TAD platform device) to allow user space to manage the AC and DC wakeup timers of the TAD: set and read their values, set and check their expire timer wake policies, check and clear their status and check the capabilities of the TAD reported by AML. The DC timer attributes are only present if the TAD supports a separate DC alarm timer. The wakeup events handling and power management of the TAD is expected to be taken care of by the ACPI PM domain attached to its platform device.

The ACPI Time and Alarm (TAD) device is an alternative to the Real Time Clock (RTC). Its wake timers allow the system to transition from the S3 (or optionally S4/S5) state to S0 state after a time period elapses. In comparison with the RTC Alarm, the TAD provides a larger scale of flexibility in the wake timers. The time capabilities of the TAD maintain the time of day information across platform power transitions, and keep track of time even when the platform is turned off.

More info: linux-acpi list archives, http://vger.kernel.org/majordomo-info.html

https://patchwork.kernel.org/patch/10287043/

Documentation/ABI/testing/sysfs-devices-platform-ACPI-TAD

Intel: hardware-based protection coming later this year

March 16, 2018 ~ hucktech ~ Leave a comment

[…]These changes will begin with our next-generation Intel® Xeon® Scalable processors (code-named Cascade Lake) as well as 8th Generation Intel® Core™ processors expected to ship in the second half of 2018.[…]

https://newsroom.intel.com/editorials/advancing-security-silicon-level/

https://newsroom.intel.com/news-releases/security-first-pledge/

SOF Project and Project ACRN

March 14, 2018 ~ hucktech ~ 1 Comment

Sousou: It would be great to see even more firmware move towards open source. #lfelc #openiot

— The Linux Foundation (@linuxfoundation) March 14, 2018

Sousou: We are launching new projects in areas where open source has not been used. We think it’s the right time to break this barrier. Specifically they deal with firmware and safety critical systems. These typically use closed, proprietary systems. #lfelc #openiot

— The Linux Foundation (@linuxfoundation) March 14, 2018

https://www.phoronix.com/scan.php?page=news_item&px=Sound-Open-Firmware

https://01.org/blogs/2018/introducing-acrn-and-sound-open-firmware

https://www.sofproject.org/

SOFProject: Sound Open Firmware is an open source audio DSP firmware and SDK that provides audio firmware infrastructure and development tools for developers who are interested in audio or signal processing on modern DSPs

ACRN: a flexible, lightweight reference hypervisor, built with real-time and safety-criticality in mind, optimized to streamline embedded development through an open source platform

https://projectacrn.org/

Check, 1, 2. Did you *hear*? Open source audio DSP firmware and SDK just announced at #lfelc. Learn more at https://t.co/D2ykT44BPR pic.twitter.com/tLNoLSXgyY

— Sound Open Firmware (@TheSOFProject) March 14, 2018

A big thank you to our supporting companies @intel, @neusoft, @aptiv, @ADLINK_Tech, and @LGUS (LGE) in leading the way to help bring #IoT innovations faster to the market! https://t.co/ujQcxW0hj0 pic.twitter.com/AJTKL0l0gD

— Project ACRN (@projectACRN) March 14, 2018

Thanks for having me, #lfelc + #OpenIoT Summit. Find out more about @projectACRN and @TheSOFProject in my blog. https://t.co/prqnAudn9Y #iamintel pic.twitter.com/kqOZOoGwHZ

— Imad Sousou (@imadsousou) March 14, 2018

Hi! Just found out about us? Learn more about us at https://t.co/sEdtykaoBq! pic.twitter.com/RqposLNnIf

— Project ACRN (@projectACRN) March 13, 2018

PCILeech3 and Memory Process File System released!

March 12, 2018March 12, 2018 ~ hucktech ~ Leave a comment

Targets 64-bit Intel systems running Windows.

Memory Process File System and PCILeech3 released! Map processes and virtual memory as files & folders!
Use memory dump files or PCIe DMA devices to edit live process memory. More info in blog entry. https://t.co/EfgwZeQSQA https://t.co/KuTVVzZc5j pic.twitter.com/DB6deQAe1G

— Ulf Frisk (@UlfFrisk) March 12, 2018

http://blog.frizk.net/2018/03/memory-process-file-system.html

https://github.com/ufrisk/pcileech

MicroPython for UEFI

March 8, 2018 ~ hucktech ~ Leave a comment

https://twitter.com/DevZoneBlog/status/971860129946611712

[…]my team investigated several options to support Python 3.x in UEFI boot services. Because firmware is a constrained environment compared to OS runtime, we evaluated porting MicroPython to UEFI. MicroPython is a Python 3 variant designed for microcontrollers, with memory and size optimizations that make it ideal for pre-OS applications. […] Supporting Python 3.x & MicroPython in open source creates new opportunities for the TianoCore community to validate robust firmware solutions.[…]

https://software.intel.com/en-us/blogs/2018/03/08/implementing-micropython-as-a-uefi-test-framework

MicroPython for UEFI - Stack Overview

UEFI Python: CPython 3.x or MicroPython 3.4?

March 1, 2018 ~ hucktech ~ Leave a comment

In the beginning, Intel maintained CPython 2.x for UEFI. Current version is 2.7x. It looks like they may have stopped porting it, I am unclear.

In addition to Intel’s CPython 2.7x port, recently Google has proposed updating CPython 3.x to support UEFI, see:

Proposal for CPython v3.x for UEFI

I may’ve missed it, but I not sure Intel is involved with this effort.

At the UEFI Plugfest later this month, Intel is giving a talk about MicroPython for UEFI, “Implementing MicroPython in UEFI”. So I am *guessing* that Intel has chosen MicroPython over CPython. I presume this means that CPython 2.7x port is now abandonware. I hope the CPython 3.x proposal is not dead, because of this MicroPython effort. Hoping both get traction, but will not hold my breath…

https://micropython.org/
https://github.com/micropython/micropython

Differences between CPython and MicroPython:
http://docs.micropython.org/en/latest/pyboard/genrst/index.html
https://pypi.python.org/pypi?%3Aaction=search&term=micropython

Once once of these Python 3.x implementations works, and the CHIPSEC project ports from 2.x to 3.c, I can finally stop using v2!!

Oracle Solaris 11.4: UEFI Secure Boot on Intel HW

February 26, 2018 ~ hucktech ~ Leave a comment

Solaris UEFI Secure Boot now available for preview in #solaris114beta. Secure or Verified Boot checks signed firmware & software end-to-end from @Intel hardware, UEFI firmware, GRUB boot manager, & Solaris kernel. I worked on it with Ann Lai in 2016 before I left @OracleSolaris.

— Dan Anderson (@_Dan_Anderson) February 24, 2018

UEFI Secure Boot on Oracle Solaris x86 enables you to install and boot Oracle Solaris on platforms where UEFI Secure Boot is enabled. This feature provides more security by maintaining a chain of trust during boot: digital signatures of the firmware and software are verified before executing the next stage. No break occurs in the chain because of unsigned, corrupt, or rogue firmware or software during the boot process. This feature helps assure that the firmware and software used to boot Oracle Solaris on a hardware platform is correct, and has not been modified or corrupted.

https://docs.oracle.com/cd/E72435_01/html/E72445/grijo.html
https://docs.oracle.com/cd/E37838_01/html/E60974/index.html
https://blogs.oracle.com/solaris/oracle-solaris-114-beta-released
https://github.com/oracle/solaris-userland/tree/master/components/shim
https://www.phoronix.com/scan.php?page=news_item&px=Oracle-Linux-7-Update-4

I guess it's official, then. We've accidentally written the first stage bootloader and initial verification chain for a major commercial UNIX®. https://t.co/rj1B6ngs8Y

— Farce Majeure🌹 (@vathpela) February 25, 2018

At this point @vathpela deserves far more credit than I do

— Matthew Garrett (@mjg59@nondeterministic.computer) (@mjg59) February 24, 2018

Upcoming Intel SGX Features Explained: Improved Virtualization, Configuration Management, and Key Sharing

February 22, 2018 ~ hucktech ~ Leave a comment

I explain recently announced SGX features (EPC oversubscription and Key separation & sharing) in my latest blog https://t.co/Kni4Cmc8mT

— Jethro Beekman (@JethroGB) February 22, 2018

https://t.co/m52bi79wYg
In our blog: In an update to the Intel Software Developer’s Manual (SDM), Intel detailed upcoming changes to the Intel® SGX instruction set. #intel #sgx #intelsgx #fortanix #RuntimeEncryption

— Fortanix (@fortanix) February 22, 2018

Upcoming Intel® SGX Features Explained: Improved Virtualization, Configuration Management, and Key Sharing
Jethro Beekman
February 22nd, 2018
In an update to the Intel Software Developer’s Manual (SDM), Intel detailed upcoming changes to the Intel® SGX instruction set. The new features improve Enclave Page Cache management in virtualized environments and allow the addition of additional information to sealing key derivation and attestation reports. The improvements allow for better multi-tenancy with EPC oversubscription and easier configuration and software update management. I will go into detail on each of these in this post.[…]

https://www.fortanix.com/blog/2018/02/upcoming-intel-sgx-features-explained/

Intel updates Intel-SA-00086 and 00088 advisory documents

February 21, 2018 ~ hucktech ~ Leave a comment

https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00086&languageid=en-fr

https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00088&languageid=en-fr

Intel announces firmware updates for multiple processors (and Retpoline document)

February 20, 2018 ~ hucktech ~ Leave a comment

Latest Intel Security News: Updated Firmware Available for 6th, 7th and 8th Generation Intel Core Processors, Intel Xeon Scalable Processors and More https://t.co/aZicmHhgki pic.twitter.com/CcqOUD2wHh

— Intel News (@intelnews) February 20, 2018

February 20, 2018

Latest Intel Security News: Updated Firmware Available for 6th, 7th and 8th Generation Intel Core Processors, Intel Xeon Scalable Processors and More

Over the past several weeks, we’ve been developing and validating updated microcode solutions to protect Intel customers against the security exploits disclosed by Google Project Zero. This effort has included extensive testing by customers and industry partners to ensure the updated versions are ready for production. On behalf of all of Intel, I thank each and every one of our customers and partners for their hard work and partnership throughout this process. Based on these efforts, we have now released production microcode updates to our OEM customers and partners for Kaby Lake- and Coffee Lake-based platforms, plus additional Skylake-based platforms. This represents our 6th, 7th and 8th Generation Intel® Core™ product lines as well as our latest Intel® Core™ X-series processor family. It also includes our recently announced Intel® Xeon® Scalable and Intel® Xeon® D processors for data center systems. The new microcode will be made available in most cases through OEM firmware updates. I continue to encourage people to always keep their systems up-to-date. There is also a comprehensive schedule and current status for planned microcode updates available online.[…]

https://newsroom.intel.com/news/latest-intel-security-news-updated-firmware-available/

[…]We are mindful of the fact that, in some cases, there are multiple mitigation techniques available that may provide protection against these exploits. This includes “Retpoline,” a Google-developed mitigation technique for Variant 2. For those interested in more information on Retpoline and how it works, we recently published a new white paper. Google has also posted information about Retpoline.[…]

https://support.google.com/faqs/answer/7625886

Click to access Retpoline-A-Branch-Target-Injection-Mitigation.pdf

EnclaveDB: A Secure Database using SGX

February 19, 2018 ~ hucktech ~ Leave a comment

The #SP18 proceedings are nearly complete! New papers publicly available for February: https://t.co/Knh8nuJpzq

— IEEE S&P (@IEEESSP) February 18, 2018

https://www.computer.org/csdl/proceedings/sp/2018/4353/00/index.html

EnclaveDB: A Secure Database using SGX
Christian Priebe , Imperial College London
Kapil Vaswani , Microsoft Research
Manuel Costa , Microsoft Research
We propose EnclaveDB, a database engine that guarantees confidentiality, integrity, and freshness for data and queries. EnclaveDB guarantees these properties even when the database administrator is malicious, when an attacker has compromised the operating system or the hypervisor, and when the database runs in an untrusted host in the cloud. EnclaveDB achieves this by placing sensitive data (tables, indexes and other metadata) in enclaves protected by trusted hardware (such as Intel SGX). EnclaveDB has a small trusted computing base, which includes an in-memory storage and query engine, a transaction manager and pre-compiled stored procedures. A key component of EnclaveDB is an efficient protocol for checking integrity and freshness of the database log. The protocol supports concurrent, asynchronous appends and truncation, and requires minimal synchronization between threads. Our experiments using standard database benchmarks and a performance model that simulates large enclaves show that EnclaveDB achieves strong security with low overhead (up to 40% for TPC-C) compared to an industry strength in-memory database engine.

https://www.computer.org/csdl/proceedings/sp/2018/4353/00/435301a405-abs.html

EnclaveDB – A Secure Database using SGX

Click to access enclavedb.pdf

Intel updates bug bounty program

February 14, 2018 ~ hucktech ~ Leave a comment

Awesome! Intel's bug bounty programs are now open to all researchers and side channel vulnerabilities are now in scope with awards up to $250,000 https://t.co/DIB0YpGiad

— Matt Miller (@epakskape) February 14, 2018

"Offering a new program focused specifically on side channel vulnerabilities through Dec. 31, 2018. The award for disclosures under this program is up to $250,000."https://t.co/4YKxqqCwt3

— David Schor (@david_schor) February 14, 2018

Updates to our program include

+ Shifting from an invitation-only program to a program that is open to all security researchers, significantly expanding the pool of eligible researchers.
+ Offering a new program focused specifically on side channel vulnerabilities through Dec. 31, 2018. The award for disclosures under this program is up to $250,000.
+ Raising bounty awards across the board, with awards of up to $100,000 for other areas.

https://newsroom.intel.com/news/expanding-intels-bug-bounty-program/

Lenovo: Intel AMT MEBx Access Control Bypass

February 10, 2018 ~ hucktech ~ Leave a comment

Intel Active Management Technology MEBx Access Control Bypass
2018-02-08
Initial Release

Scope of Impact: Industry-wide
Lenovo Security Advisory: LEN-19568
Potential Impact: Remote access and control
Severity: Critical

Intel has issued an advisory for Intel vPro Active Management Technology (AMT) to all system manufacturers. The Intel AMT default configuration has weak security around the Management Engine BIOS Extension (MEBx) password.[…]

ThinkPad – Updates coming soon
ThinkServer- Researching

https://support.lenovo.com/us/en/solutions/LEN-19568

https://sintonen.fi/advisories/intel-active-management-technology-mebx-bypass.txt

https://www.intel.com/content/www/us/en/support/articles/000020917/software/manageability-products.html

Click to access Intel_AMT_Security_Best_Practices_QA.pdf

http://thinkdeploy.blogspot.com/2016/08/the-think-bios-config-tool.html

Intel updates for INTEl-SA-0068 and INTEL-SA-00088

February 8, 2018 ~ hucktech ~ Leave a comment

Intel updates the advisory pages:

https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00088&languageid=en-fr

https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00086&languageid=en-fr

Intel Issues First Corrected Firmware Fixes for CPU Security Flaws

pwrtest.efi – UEFI Shell developer tool to test Intel/AMD RTC wake function

February 5, 2018 ~ hucktech ~ Leave a comment

The pwrtest.efi is an UEFI Shell tool that help developer to confirm RTC wake function from a system(Support on both Intel and AMD platform). Usage:

pwrtest -s3 -t 10 -w 60 ; 系統會在10 sec delay 後進入S3，然後在60 sec 後喚醒(Wake up)
pwrtest [-h|-s3|-s4|-s5|-s|-ss|-sx|-cb|-r]
-h help
-s3|-s4|-s5 ;選擇系統的Sx State (Intel platform)
-cb ;做coldboot ，我是透過 gRT->ResetSystem() 方式去做的
-ss ; 做Shutdown，我是透過 gRT->ResetSystem() 方式去做的
-sx value ; 支援AMD platform去做Sx State，因為填的SLP_TYP值不同.
value = 3/4/5 for AMD platform(S3/S4/S5)
value = 5/6/7 for Intel Platform (S3/S4/S5)
e.g,
pwrtest -sx 4 -t 5 -w 30 ; For AMD Platform, Put system to S4 after 5 sec, then wake after 30 sec.
pwrtest -sx 6 -t 5 -w 30 ; For INTEL Platform, Put system to S4 after 5 sec, then wake after 30 sec.
pwrtest -s3 -t 5 -w 30 ; For INTEL Platform, Put system to S3 after 5 sec, then wake after 30 sec.
pwrtest -r ; Warm boot
pwrtest -cb ; Cold boot
[…]

See URL to password-protected live.com-hosted zip containing freeware binary (not open source) in blog post.

http://biosengineer.blogspot.com/2018/02/uefi-shell-utility-pwrtestefi.html

Intel-SA-00088: Microcode updates for NUC/Compute Stick/Compute Card

February 5, 2018 ~ hucktech ~ Leave a comment

Intel starts round two of Microcode updates but only for Apollo Lake NUCs (NUC6CAY) and one Compute Card model: https://t.co/WwABOMRwsC

— Adrian Rueegsegger (@Kensan42) February 5, 2018

Intel-SA-00088 for Intel® NUC, Intel® Compute Stick, and Intel® Compute Card
Last Reviewed: 02-Feb-2018
Article ID: 000026620

In response to the recent Intel Security Advisory regarding Software/Side Channel Analysis, Kernel Memory Leak:

Intel has observed rare incidences of system reboots and other unpredictable system behavior after updating to microcode mitigating CVE-2017-5715 a.k.a. Spectre.
We have identified the root cause and made good progress in developing a solution to address it.
We have removed any BIOS posted recently that included the first microcode update and will post new BIOS updates as soon as they are ready.
If you have already updated BIOS with the first microcode update and you experience reboots or unstable system behavior, you can downgrade your BIOS to the previous version.
We will provide an update on this issue by February 15, 2018.

See Facts About Side-Channel Analysis for complete information and Frequently Asked Questions.[…]

https://www.intel.com/content/www/us/en/support/articles/000026620/mini-pcs.html

Not listed on the Intel Security Advidsory page, only listed on the NUC support page. 😦

https://security-center.intel.com/default.aspx

The microarchitecture of Intel, AMD and VIA CPUs: An optimization guide for assembly programmers and compiler makers

February 1, 2018 ~ hucktech ~ Leave a comment

A. Fog, “The microarchitecture of Intel, AMD and VIA CPUs” (a little light reading for Thursday) #pdf https://t.co/m3IkFXRj3y

— Arrigo Triulzi (@cynicalsecurity) February 1, 2018

The microarchitecture of Intel, AMD and VIA CPUs
An optimization guide for assembly programmers and compiler makers
By Agner Fog. Technical University of Denmark.
Copyright © 1996 – 2017. Last updated 2017-05-02.

Click to access microarchitecture.pdf

Linux UEFI Validation Project v2.2 released

January 26, 2018 ~ hucktech ~ Leave a comment

Features:

1. Add a wrapper script to setup build environment which makes
configuring LUV build systems very simple. It also makes it easy to
perform automated builds from a fresh clone of the git repository.

2. Write messages to a console and/or debug file so that someone with
access to only a serial console or netconsole will also know what is
going on. Currently, we only use the plymouth graphical manager to
display certain messages to the user.

The LUV git repository URL has been updated from
https://github.com/01org/luv-yocto.git
to:
https://github.com/intel/luv-yocto.git

See the full announcement for list of bugfixes an other changes.

https://lists.01.org/mailman/listinfo/luv

Intel: planning for security vulnerabilities in firmware

January 26, 2018 ~ hucktech ~ Leave a comment

Planning for Security Vulnerabilities in Drivers and Firmware

Written by Laura Warner | January 25, 2018

https://itpeernetwork.intel.com/planning-security-vulnerabilities-drivers-firmware/